Comment # 5 on bug 10729 from Michael Mann
(In reply to Pascal Quantin from comment #1)
> This crash is a side effect of ge3a04bb (Ensure dissector data parameter is
> used instead of pinfo->private_data when passing data between dissectors
> using the "media_type" subdissector).
>
> HTTP dissector is passing the media_str as "data" parameter:
>     if (headers.content_type_parameters)
>         media_str = wmem_strdup(wmem_packet_scope(),
>                                 headers.content_type_parameters);
>     [...]
>     dissected = call_dissector_only(handle, next_tvb, pinfo, tree, media_str);
>
> while the xml dissector assumes that if data parameter is not NULL, it means
> that it can store a pointer in it:
>     xml_frame_t **ret_frame = (xml_frame_t**)data;
>     [...]
>     if (ret_frame != NULL)
>         *ret_frame = current_frame; /* pass XML structure to the dissector calling XML */
>
> It leads to the storage of 8 bytes (on a Linux x64 machine) in a 4 bytes
> long dynamic memory block, which corrupts the memory.
So we have two different "entrances" to the XML dissector? One from HTTP (which
will be a "string") and one from XMPP (which will be an xml_frame_t).
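An added illustration, not part of the bug comment and not Wireshark code: one way to keep a callee with two kinds of callers from writing a pointer into a caller's string is to tag what the untyped `data` argument carries, so the store only happens when it really is an out-pointer. Every type and function name below is hypothetical, and the 4-byte string is a constructed sample.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the parsed XML structure. */
typedef struct xml_frame { const char *name; } xml_frame_t;

/* Tag describing what the untyped "data" pointer really holds. */
typedef enum { DATA_MEDIA_STR, DATA_XML_FRAME_OUT } data_kind_t;

typedef struct {
    data_kind_t kind;
    union {
        const char   *media_str;  /* HTTP-style caller: read-only string */
        xml_frame_t **ret_frame;  /* XMPP-style caller: out-pointer slot */
    } u;
} dissector_data_t;

static xml_frame_t current_frame = { "root" };

/* Callee: stores the frame pointer only when the tag says "out-pointer".
 * Returns 1 if a frame was handed back, 0 if nothing was written. */
int dissect_xml_checked(void *data)
{
    dissector_data_t *d = (dissector_data_t *)data;

    if (d == NULL || d->kind != DATA_XML_FRAME_OUT || d->u.ret_frame == NULL)
        return 0;
    *d->u.ret_frame = &current_frame;
    return 1;
}

/* HTTP-style caller: passes a 4-byte string (constructed sample).
 * Returns 1 if nothing was stored and the string is intact afterwards. */
int http_caller_string_intact(void)
{
    char media_str[4] = "abc";
    dissector_data_t d = { .kind = DATA_MEDIA_STR, .u.media_str = media_str };
    int stored = dissect_xml_checked(&d);
    return stored == 0 && memcmp(media_str, "abc", 4) == 0;
}

/* XMPP-style caller: wants the frame back. Returns 1 on success. */
int xmpp_caller_gets_frame(void)
{
    xml_frame_t *frame = NULL;
    dissector_data_t d = { .kind = DATA_XML_FRAME_OUT, .u.ret_frame = &frame };
    return dissect_xml_checked(&d) == 1 && frame == &current_frame;
}

int main(void) { return (http_caller_string_intact() && xmpp_caller_gets_frame()) ? 0 : 1; }
```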